dotlaw

Toggl Track · IT

Tags: ISO 27001, Training, Testing, Audit

Toggl achieved ISO 27001 without halting operations.

Thanks to dotlaw, we not only passed the audit successfully but, above all, approached it confident that every detail had been taken care of during the implementation.

Alari Aho · CEO, Toggl Track

Key results

  • Full compliance with ISO/IEC 27001:2022 and a solid foundation for the next certification, SOC 2 Type 2

  • The SecOps and Legal & Compliance teams work more efficiently, with less manual effort and better control over data security

  • Enterprise clients who previously stalled contracts at the vendor verification stage now move through it smoothly

  • The entire international team understands its security responsibilities, not as dry procedures but as a real, everyday practice

Context

The certificate that opens the door to enterprise.

Enterprise clients have one requirement before they sign a contract with a SaaS vendor: an information security certificate. For Toggl, an Estonian provider of time-tracking tools with thousands of clients globally, ISO 27001 was the ticket to larger contracts and faster negotiations.

The problem: a fully remote team spread across the globe, no physical IT infrastructure, and a real concern that certification would mean months of documentation that would grind daily operations to a halt. Toggl needed a certificate that worked on their terms, not the other way around.

About Toggl: Toggl is an Estonian company offering SaaS tools. Its best-known product, Toggl Track, is a popular time-tracking app. The team works 100% remotely, is spread across different countries, and serves thousands of clients worldwide.

Challenges

What Toggl had to overcome.

Before the implementation began, Toggl faced challenges typical of fast-growing tech companies. Combined with a fully remote model, however, they created an exceptionally complex situation.

  • No formalized risk and vendor management processes, making it hard to control how data flows across the organization and its partners

  • No physical IT infrastructure and a team spread around the world. A standard approach to security simply won't work in a fully remote model

  • Enterprise clients require auditable proof of compliance. Without it, negotiations drag on or fall through entirely

  • Building a security culture across an international team called for simple, unambiguous procedures and effective training

  • Concern about excessive bureaucracy. ISO 27001 is associated with extensive documentation that could undermine operational flexibility

Solution

A security system that runs on Toggl's own tools.

The key was building a security system that runs on the tools Toggl already uses, rather than layering a new set of processes on top of existing operations.

  1. Documentation in Notion

    The security policy was implemented in a tool Toggl already had in its stack. It is accessible to auditors and teams at the same time, without forcing any changes to the workflow.

  2. Central vendor management system

    Faster, more effective vetting of business partners. Every new vendor goes through a standard risk assessment process, with no ad-hoc decisions.

  3. Risk management integrated with operations

    A risk register maintained by the Toggl team with our support. Risk decisions are made by people who understand the business, not by external auditors.

  4. Training tailored to the team

    Instead of generic security training, we ran contextualized sessions for SecOps, Engineering, Customer Support, and Sales. Each team understands its own responsibilities.

Process

Five steps to certification.

  1. Initial audit and gap identification

    Analysis of the current state, asset mapping, and identification of areas that need improvement.

  2. Risk assessment

    Identifying and assessing risks, defining the context, and evaluating vulnerabilities.

  3. Implementing policies and procedures

    Developing ISO 27001 compliant documentation in collaboration with Toggl's teams.

  4. Training and system testing

    Building security awareness across the entire distributed team.

  5. Audit support and certification

    Guiding the company through the audit and obtaining ISO/IEC 27001:2022 certification.

Value

More than a certificate.

New sales opportunities

The certification opened the door to working with larger enterprise clients and noticeably sped up negotiations that previously stalled at the vendor review stage.

ISO 27001 integrated with operations

No unnecessary procedures, no operational debt. The security system runs on the tools Toggl was already using.

A real security culture

The entire international team understands its responsibilities and applies them in practice, not as dry procedures but as part of everyday work.

A foundation for the next certifications

SOC 2 Type 2 and ISO 27701 are now genuinely within reach; a solid base means Toggl does not start from scratch with each new certification.

In the client's words

The experts at dotlaw helped us not only achieve ISO 27001 certification but, above all, work through the entire process in an organized way that fit our company. From the first internal audit, through implementation planning and the analysis of our processes, to training and the certification audit, they were with us at every stage, answering our questions and helping us solve the challenges that came up. It was thanks to their support that we managed to integrate ISO 27001 with our existing processes and prepare effectively for certification.

Alari Aho · CEO, Toggl Track

FAQ

Frequently asked questions.

  • Implementing ISO 27001 in a remote SaaS company means adapting the standard requirements to an organization with no physical infrastructure. The key is to build an information security management system based on the tools the team already uses, rather than layering on a new set of processes. Security policies, vendor management, and training all have to work in a distributed environment. Toggl completed a full ISO 27001 implementation without pausing operations, integrating its documentation directly into Notion.

Your company needs the certification, without pausing what you are building.

Let's talk about an ISO 27001 implementation that works around your workflow, not the other way around.
